Penetration Testing mailing list archives
Re: [PEN-TEST] Ethics Scenario
From: Edward Mitchell <ed () THE7THBEER COM>
Date: Mon, 2 Oct 2000 13:40:56 -0700
"Poking around" and "using the site" infer/imply two very different and distinct things in my mind.

"Using the site" -- literally that. Using it as a customer or legitimate user would and finding a problem. That should be reported to the site owners ASAP. Let the owners decide if they want help securing things and let them decide if they want to enlist your help. This happened to a friend of mine who is not a computer-type... he was ordering some candy from candy.com and ended up with a screen full of credit card orders. He emailed them on my advice and got lots of free candy in return. :)

Poking around means just that... you're looking for a weakness and acting with a purpose other than day-to-day use. That's a very grey, bordering on black, area. If someone did that to my site and then said "Hey, we only charge $500/hour for an audit and patches", I'd probably be on the phone to my attorney and local law enforcement, not to mention the BBB and anyone else who would listen.

On Mon, 2 Oct 2000, Christopher M. Bergeron wrote:
Here's a scenario that I'd like to get people's input on:

A) Our company does pen-tests, security auditing etc...
B) Our team finds a vulnerability/hole on a website just by poking around / using the site.

The question is this: Do we tell the website company who we are and that we have discovered a vulnerability and then offer to provide them assistance with the vulnerability (for pay of course), i.e. offering them a full pen-test or an IDS or something...? Or does this tend to fall into the "chasing ambulances" type of business marketing strategy?